The Looming CISO Mental Health Crisis — and What to Do About It, Part 1

The next big threat to corporate security may not be a new strain of malware or innovative attacker tactics, techniques, and procedures. It may be our own mental health.

For the past 20 years, I’ve served as CISO for companies in different sectors. In this role, I have shouldered responsibility for protecting each organization from a wide swath of rapidly developing cybersecurity threats. I have also learned firsthand how much stress security leaders face day to day.

Recent conversations with my peers have shown that stress in cybersecurity is an industry-wide problem. The CISO role is one of the most stressful in any organization. And the security function — writ large across every company type and industry sector — stands on the precipice of a stress-induced crisis.

What Sets the CISO Role Apart
The security team is hardly the only group under pressure. Other corporate functions, and other executives, must meet elevated and sometimes unrealistic expectations. But what makes the CISO position unique is its relative newness; most jobs in a modern organization have been around for decades, so they’re fairly well-defined. Companies have had many years to flesh out the responsibilities and accountabilities of the CEO, CFO, and COO, for example, and to develop processes that ensure their functions work smoothly.

By comparison, the corporate security function is a bit like the Wild West. From the CISO down, throughout the hierarchy, security roles are new and immature relative to many corporate positions. Thus, the CISO often ends up catching responsibility for everything that could possibly go wrong with an organization’s digital presence. That gives the CISO a remit of astounding breadth.

If consumer data is compromised, the CISO may be held responsible for all the compliance, customer service, and brand implications that result. If fraudulent payments go through, the financial fallout may belong to the CISO. If machinery is damaged or processes disrupted through ransomware or another attack, that comes back to the CISO. If employees place corporate data in a cloud-based system, the CISO likely bears the responsibility, even if the security teams aren’t aware the data transfer is happening. And if some new and previously unknown type of threat compromises systems in ways no one could have anticipated, once again: It’s on the CISO.